Yes, that would work but most sites are not done that way. For example, my GitHub has 2FA via user/pass/TOTP but if I use a Passkey it skips the TOTP and I don’t see a way to require it.
I don’t understand the exact implementation of software based passkeys but they don’t pass the sniff test to me. If I can sync a passkey between devices then it’s nothing more than a more complicated password that doesn’t offer an additional layer of protection. I also run with Bitwarden and a pair of yubikeys.
TOTP/FIDO implementations are generally pretty terrible for most sites. If I’m using a FIDO key I don’t want to be hit with a TOTP request upon login. If I’m logging in with SSO backed by FIDO I don’t want a TOTP request. If I have a FIDO key tied to my account I don’t want it to be possible to log in with only my password and TOTP.
So let’s get specific. If we aren’t putting passkeys into Bitwarden, what are some recommended alternatives?
YubiKey 5 can store 25 or 100 depending on firmware. Because passkeys in hardware don’t sync, it seems that having 2 keys registered makes sense. What normal user is going to do this?
Seems like most passkeys are going to end up on Windows Hello, Apple, or Google. My understanding is they are developing a method of secure transfer to mitigate the single point of failure problem.
I’m finding many sites still ask for TOTP on login so I’m comfortable putting my passkey in Bitwarden there. Gonna have to revisit github though…
I personally don’t see that big of an issue with storing passkeys in Bitwarden, as long as your Bitwarden account is properly secured with multi-factor authentication or a passkey on a HW key.
That’s true, but it’s not really a problem. You don’t need to store 25 or 100 passkeys on your YubiKey if you’re using Bitwarden for your regular accounts and only storing the Bitwarden passkey, and maybe a few other critical ones, on the YubiKey.
And if you’re using a password + WebAuthn 2FA for Bitwarden instead of a passkey, then you’re not even using one of those slots.
Well, this comes back to the classic convenience vs. security tradeoff. For Bitwarden and the few other really important accounts that you don’t want to store in your “all-in-one” Bitwarden egg basket, you should probably do that.
Alternatively, you could stick with TOTP for Bitwarden and those key accounts, which is still far better than relying on just a username and password.
Several of the sites that I use passkeys on still ask for TOTP, which seems reasonable to me.
It seems that the only YubiKey that should be managing passkeys is the Bio. I suppose FIDO2 does require a PIN for single-factor login with passkeys, so technically it is multi-factor. Problem is one of my older YubiKeys doesn’t have a PIN and it still seems to work.
I’ll probably move my sensitive passkeys to a YubiKey. Email, GitHub etc. For everything else Bitwarden seems sufficient.
As far as I understand it (and this is an extremely simplified and not fully technically accurate summary of the links I posted below), whether a PIN is required is determined by the service provider. Most providers seem to set the user verification flag to “preferred”, which means:
If the hardware supports it and a PIN is set, it may be requested.
If no PIN is set, you’ll be logged in directly without it.
However, some providers (e.g. Microsoft) may set this flag to ‘required’. In that case, a hardware key with the PIN disabled won’t work.
EDIT:
Here was an attempt to explain all this comprehensively, but I deleted it again, as it is actually more complicated than I thought, and I found a much better explanation online.
The unfortunate conclusion to all this seems to be it’s better to keep using username/password + MFA via TOTP or Yubikey vs switching to passkeys.
The inconsistent implementation of “preferred” and “required” seems to make user education more complicated. Why can’t nerds develop things for mere mortals?
It was a holy war just to get most of my clients onto MFA in the first place.
Yeah, unfortunately, it seems that we are largely at the mercy of providers and developers when it comes to the security of passkeys. Some compromises have definitely been made in favour of convenience. However, without sync capabilities, adoption probably wouldn’t have taken off in the way that it has.
That said, I don’t see that particular feature as a major issue. Provided that both user presence and user verification are enabled, I think passkeys remain secure enough for most personal use cases, even when stored as software-based credentials in Bitwarden or another password manager — as long as the password manager itself is properly secured, of course.